On Grafana instances that use an external authentication service, Grafana Enterprise 7.4.0 introduced a team sync mechanism that allows any authenticated user to add external groups to existing teams. An attacker can use this to grant a user team permissions that the user is not supposed to have. The same flaw also allows any unauthenticated user or client to list the external groups already mapped to a team, provided the team ID is known. The issue is reachable only when at least one team has been defined in the Grafana instance, even if that team is unused. The fix shipped in Grafana Enterprise 7.4.5 (see the changelog entry under External References).
Statement: Red Hat products do not ship the Grafana Enterprise edition and are therefore not affected by this vulnerability.
External References: https://github.com/grafana/grafana/blob/master/CHANGELOG.md#745-2021-03-18
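A practical check for the description above, as an added example (not Grafana's, Red Hat's, or the advisory's own code): it reports whether a server's version falls in the affected window and whether a team's external group mappings can be read without credentials. Assumptions, labelled in the code: the affected window is 7.4.0 up to but not including 7.4.5, the fix release named in the referenced changelog; the read endpoint is the Grafana Enterprise team sync path `GET /api/teams/<id>/groups`; `/api/health` reports the server version. Only the unauthenticated read is probed; the write path (adding a group) is deliberately not exercised.

```python
"""Check a Grafana instance for the team sync issue described above.

Added example, not project code. Labelled assumptions:
  * affected window: 7.4.0 <= version < 7.4.5 (7.4.5 is the fix release
    named in the referenced changelog);
  * read endpoint: GET /api/teams/<id>/groups (Grafana Enterprise team
    sync API path, treated as an assumption here);
  * GET /api/health returns a JSON object with a "version" field.
"""
import json
import re
import sys
import urllib.error
import urllib.request

FIRST_AFFECTED = (7, 4, 0)
FIRST_FIXED = (7, 4, 5)


def parse_version(version: str) -> tuple:
    """'7.4.3', 'v7.4.3' or '7.4.3-pre1' -> (7, 4, 3); ValueError otherwise."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version: str) -> bool:
    """True when the reported version lies inside the affected window."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def classify_probe(status: int, body: bytes) -> str:
    """Interpret the answer to an unauthenticated GET on a team's groups.

    Returns 'exposed', 'protected', 'absent' or 'unknown'.
    """
    if status == 200:
        try:
            data = json.loads(body or b"null")
        except ValueError:
            return "unknown"
        # Team sync answers with a JSON array of group mappings. An array
        # (even an empty one) served without credentials is the bug.
        return "exposed" if isinstance(data, list) else "unknown"
    if status in (401, 403):
        return "protected"
    if status == 404:
        # Assumption: endpoint not registered (e.g. an OSS build) or no such team.
        return "absent"
    return "unknown"


def probe_team_groups(base_url: str, team_id: int, timeout: float = 5.0) -> str:
    """Issue the unauthenticated read and classify the response (network)."""
    url = f"{base_url.rstrip('/')}/api/teams/{team_id}/groups"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_probe(err.code, err.read())


def server_version(base_url: str, timeout: float = 5.0) -> str:
    """Read the version string from /api/health (network)."""
    url = f"{base_url.rstrip('/')}/api/health"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: grafana_teamsync_check.py <base_url> [team_id]")
    base = sys.argv[1]
    team = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    version = server_version(base)
    print(f"version {version}: affected window = {is_affected_version(version)}")
    print(f"unauthenticated read of team {team} groups: {probe_team_groups(base, team)}")
```

A result of `exposed` on an instance in the affected window confirms the unauthenticated read; `protected` after upgrading to 7.4.5 or later is the expected outcome. Because the probe needs an existing team ID, an `absent` answer for team 1 does not by itself prove the instance is safe.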